Well, I think that for a good understanding it is not enough to just translate something from MSDN or Wikipedia, so here is some explanatory material.

Windows Identity Foundation (WIF) is a Microsoft software framework for creating "identity-aware" applications. It provides APIs for building ASP.NET- or WCF-based security token services, as well as tools for building "claims-aware" applications.

Claims-awareness is a common way for applications to get information about who is logging in (identity) within the corporation, or even on the Internet. It also provides a very solid approach to running intranet or Internet applications.

STS authentication works by having an identity-certifying agent issue a token. Read about STS here.

An example of authentication with STS is on this site: NFP SP, accessed with the digital certificate option.

Now that you have the context, time to get your hands dirty.

To develop an application with STS authentication, you first need a digitally signed server so that it can issue your token.

Then you need to add this certificate to your trusted issuers list (example here).

After all this, it is necessary to implement authentication based on Windows Federated Authentication. It is very common to use smart cards for this: you just enter your PIN and unlock access to the application. Ah, the card in turn needs to be issued by a trusted agency, for example the official press.

The example I will use is an application written in ASP.NET MVC that authenticates via WIF.
```csharp
using System;
using System.Configuration;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

// IdentitySection is the author's own configuration-section class for the
// "federatedMvc.identity" section shown below (its namespace is not shown here).
public abstract class SecurityController : Controller
{
    // Fields
    private IdentitySection _identityConfig;

    // Methods

    // Receives the WS-Federation sign-in response posted back by the STS and
    // redirects to the original context (wctx) or to the configured reply URL.
    [AcceptVerbs(HttpVerbs.Post), ValidateInput(false), AllowAnonymous]
    protected ActionResult ProcessToken()
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        string str = null;
        if (wSFederationAuthenticationModule.CanReadSignInResponse(System.Web.HttpContext.Current.Request, true))
        {
            str = System.Web.HttpContext.Current.Request.Form["wctx"];
        }
        return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
    }

    // Builds a WS-Federation sign-in request and redirects the browser to the STS
    // (the configured issuer, unless a specific issuer is passed in).
    [AllowAnonymous]
    public ActionResult SignIn(string issuer)
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        string str = null;
        if (!base.User.Identity.IsAuthenticated)
        {
            str =
                new SignInRequestMessage(new Uri(string.IsNullOrEmpty(issuer) ? wSFederationAuthenticationModule.Issuer : issuer),
                    wSFederationAuthenticationModule.Realm, wSFederationAuthenticationModule.Reply).WriteQueryString();
        }
        return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
    }

    // Clears the local federated session and redirects to the reply URL.
    public ActionResult SignOut()
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        if (base.User.Identity.IsAuthenticated)
        {
            wSFederationAuthenticationModule.SignOut(false);
        }
        return new RedirectResult(wSFederationAuthenticationModule.Reply);
    }

    // Properties

    // Lazily loads the "federatedMvc.identity" section from Web.config.
    protected IdentitySection IdentityConfig
    {
        get
        {
            return (this._identityConfig ?? (this._identityConfig = (IdentitySection)ConfigurationManager.GetSection("federatedMvc.identity")));
        }
    }
}
```
`federatedMvc.identity` is a section of your Web.config that will contain your security keys for your STS server.

For example:
```xml
<federatedMvc.identity securityController="Seguranca">
  <authenticationUris>
    <add type="Certificate" uri="https://CapsuleCorp/Identity.STS.Certificado/Login.aspx" />
  </authenticationUris>
</federatedMvc.identity>
```
Then you need to add the `<microsoft.identityModel>` section to your web.config as well, and point out the necessary items, for example:
```xml
<service>
  <audienceUris>
    <add value="http://CapsuleCorp.com/FindDragonBalls" />
  </audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="false" persistentCookiesOnPassiveRedirects="false"
                  issuer="https://CapsuleCorp.com/Identity.STS.Certificado/Login.aspx"
                  realm="http://CapsuleCorp.com/realm" reply="http://CapsuleCorp.com/home" requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
  <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
      <add name="CN=CapsuleCert" thumbprint="89cf12ef1f36a9bacaa4e813a44bb699bb46c359" />
    </trustedIssuers>
  </issuerNameRegistry>
</service>
```
After that, you can consult all the claims returned by the claims service, deny access or redirect somewhere; then the sky is the limit. And with this, based on each claim, you will be able to direct your efforts. If you have any questions, do not hesitate to ask.

Whoever voted -1, leave a comment so I can adjust the answer in a way you understand too.
– okevinlira
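The answer above stops at "consult the claims, deny access or redirect". The following is an added example, not code from the answer or from WIF itself, showing how the "based on each claim, deny access" step looks on the relying-party side with the WIF 3.5 (`Microsoft.IdentityModel`) API the answer's `SecurityController` uses. It assumes the answer's `SecurityController` base class exists; the controller name `DragonBallController`, the action names, and the role value `"Saiyan"` are hypothetical placeholders. Two points worth noting when reading it together with the sample config: the filter returns HTTP 403 for an authenticated user who lacks the claim instead of redirecting back to the STS (which would re-issue the same token and loop), and the sample `<certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />` line turns off chain and revocation checking of the STS signing certificate, which is convenient with a self-signed lab certificate but in production should be replaced by `ChainTrust` (or `PeerOrChainTrust`) with `revocationMode="Online"` so that a revoked or untrusted issuer certificate is rejected even if its thumbprint is still listed under `<trustedIssuers>`.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

// Added example (not from the original answer): an MVC authorization filter that
// gates an action on a claim issued by the STS. It works on the IClaimsPrincipal
// that WIF's WSFederationAuthenticationModule / SessionAuthenticationModule place
// in HttpContext.User after a successful sign-in.
public sealed class RequireClaimAttribute : AuthorizeAttribute
{
    private readonly string _claimType;
    private readonly string _claimValue; // null means "any value of this type"

    public RequireClaimAttribute(string claimType, string claimValue)
    {
        if (string.IsNullOrEmpty(claimType)) throw new ArgumentNullException("claimType");
        _claimType = claimType;
        _claimValue = claimValue;
    }

    // True only when the user is authenticated via WIF and carries the required claim.
    // Comparison is ordinal: claim values are opaque strings issued by the STS,
    // so no case folding or culture rules should apply.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            return false;
        }

        return principal.Identities
            .SelectMany(identity => identity.Claims)
            .Any(claim => claim.ClaimType == _claimType
                          && (_claimValue == null
                              || string.Equals(claim.Value, _claimValue, StringComparison.Ordinal)));
    }

    // An authenticated user without the claim gets 403. Falling back to the base
    // behaviour (401 -> redirect to the STS) would loop: the STS would simply
    // issue the same token again. Unauthenticated users still get the redirect.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Required claim not present");
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Hypothetical controller built on the answer's SecurityController base class.
public class DragonBallController : SecurityController
{
    // Only principals whose token carries a role claim with value "Saiyan"
    // (a hypothetical role issued by the STS) reach this action.
    [RequireClaim(ClaimTypes.Role, "Saiyan")]
    public ActionResult Find()
    {
        return Content("You may search for the Dragon Balls.", "text/plain");
    }

    // Development aid: list every claim in the token, with the issuer name that
    // the ConfigurationBasedIssuerNameRegistry resolved from the trusted thumbprint.
    // Restricted to authenticated users; useful for checking what the STS actually sent.
    [Authorize]
    public ActionResult Claims()
    {
        var identity = User.Identity as IClaimsIdentity;
        if (identity == null)
        {
            return Content("Not a WIF claims identity.", "text/plain");
        }

        var lines = identity.Claims
            .Select(c => c.ClaimType + " = " + c.Value + " (issuer: " + c.Issuer + ")")
            .ToArray();
        return Content(string.Join(Environment.NewLine, lines), "text/plain");
    }
}
```

The filter checks every identity in the principal rather than only `User.Identity`, because a WIF principal can carry more than one `IClaimsIdentity` (for example when a token delegates on behalf of another identity). Matching on `ClaimTypes.Role` with a value is the simplest case; the same filter accepts any claim type URI the STS issues, so a custom claim such as the CPF carried by a Brazilian ICP-Brasil certificate can be required in the same way once the STS maps it into the token.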